Determined Adversaries

Targeted Attacks

Although attackers have used computer networks to enable espionage for several decades, the widespread recognition of Targeted Attacks as a distinct class of security threat is a relatively recent development. Attacks of this type became publicly known in the mid-2000s following a number of security incidents that were believed to have been perpetrated by, or on behalf of, national governments or other state actors. More recently, reports of similar attacks waged by non-state actors against commercial and government targets for profit, intelligence gathering, or other reasons have increased.

Although Targeted Attacks may be perceived as an evolution of conventional malware activity to more sophisticated levels, it is more accurate to characterize them as the evolution of conventional espionage techniques to target individuals and non-state organizations to a degree not commonly seen in the past. This holds true even where the motive may be purely financial.

Targeted Attacks are technically opportunistic and technology-agnostic; the attacker has the resources to use whatever techniques or technologies work. Although Targeted Attacks are sometimes characterized as highly advanced attacks that exploit previously unknown vulnerabilities in software, the reality is often more mundane. Attackers frequently leverage the target's operational weaknesses, such as long out-of-date software or unpatched vulnerabilities, to gain initial access. After the target is compromised, the attacker attempts to secure additional footholds within the network by compromising authentication systems, disabling audit capabilities, and even manipulating patch management/deployment servers, in an effort to become stealthier, maintain their position, and better exfiltrate data. Attackers have been observed to expand the scope of such attacks by remotely turning on webcams and telephones in conference rooms to eavesdrop on confidential communications in real time.
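The post-compromise behaviours just described (new privileged accounts, audit tampering, changes to patch servers) all leave traces in Windows Security event logs. The following is an added example written for this page, not code from the SIR: it triages a constructed JSON-lines sample of Security events and ranks the accounts behind the alerts. The event IDs are the documented Microsoft values; the host names, the `PATCH_SERVERS` asset tag and the sample records are hypothetical.

```python
"""Added example (not from the SIR): triage constructed Windows Security events
for account creation, privileged-group membership changes, audit tampering and
service installation on patch management hosts."""
import json
from collections import Counter

# Documented Windows Security event IDs.
AUDIT_TAMPER = {1102: "audit log cleared", 4719: "system audit policy changed"}
PRIV_GROUP_ADD = {4728: "global", 4732: "local", 4756: "universal"}
ACCOUNT_CREATED = 4720
SERVICE_INSTALLED = 4697            # Security log; 7045 is the System-log equivalent
SENSITIVE_GROUPS = {"domain admins", "administrators", "enterprise admins"}
PATCH_SERVERS = {"wsus01"}          # hypothetical asset tag for patch deployment hosts

# Constructed sample log (JSON lines): one intrusion interleaved with normal logons.
SAMPLE_LOG = """\
{"Time":"2011-11-14T02:05:10Z","Computer":"FIN-WS07","EventID":4624,"SubjectUserName":"jsmith"}
{"Time":"2011-11-14T02:11:42Z","Computer":"DC01","EventID":4720,"SubjectUserName":"jsmith","TargetUserName":"svc_backup2"}
{"Time":"2011-11-14T02:12:03Z","Computer":"DC01","EventID":4728,"SubjectUserName":"jsmith","TargetUserName":"Domain Admins","MemberName":"svc_backup2"}
{"Time":"2011-11-14T02:20:30Z","Computer":"DC01","EventID":4719,"SubjectUserName":"svc_backup2"}
{"Time":"2011-11-14T02:21:05Z","Computer":"DC01","EventID":1102,"SubjectUserName":"svc_backup2"}
{"Time":"2011-11-14T02:40:17Z","Computer":"WSUS01","EventID":4697,"SubjectUserName":"svc_backup2","ServiceName":"WinUpdateSvc2","ServiceFileName":"C:\\\\Windows\\\\Temp\\\\wuagent.exe"}
{"Time":"2011-11-14T09:15:00Z","Computer":"FIN-WS07","EventID":4624,"SubjectUserName":"jsmith"}
"""


def triage(log_text):
    """Return one alert dict per suspicious record, in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        eid = ev["EventID"]
        host = ev["Computer"].lower()
        actor = ev.get("SubjectUserName", "?")
        kind = None
        if eid in AUDIT_TAMPER:
            kind = "audit-tamper: " + AUDIT_TAMPER[eid]
        elif eid == ACCOUNT_CREATED:
            kind = "account-created: " + ev["TargetUserName"]
        elif eid in PRIV_GROUP_ADD and ev["TargetUserName"].lower() in SENSITIVE_GROUPS:
            kind = f"privileged-group-add: {ev['MemberName']} -> {ev['TargetUserName']}"
        elif eid == SERVICE_INSTALLED and host in PATCH_SERVERS:
            kind = f"patch-server-service: {ev['ServiceName']} ({ev['ServiceFileName']})"
        if kind:
            alerts.append({"time": ev["Time"], "host": host, "actor": actor, "kind": kind})
    return alerts


def categories(alerts):
    """Alert category names only (the part before the first colon)."""
    return [a["kind"].split(":")[0] for a in alerts]


def actors_by_alert_count(alerts):
    """Rank accounts by number of alerts; one actor spanning several
    categories within minutes is the pattern worth escalating."""
    return Counter(a["actor"] for a in alerts).most_common()


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["host"], a["actor"], a["kind"])
    print(actors_by_alert_count(found))
```

In the constructed sample, a freshly created account is added to Domain Admins, then changes audit policy, clears the Security log and installs a service on the patch server, all within forty minutes; the per-actor count surfaces that chain even though each event on its own might be explained away as administration.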

Although purely technical attacks are not unknown, most Targeted Attacks use an element of social engineering to gain access to information and sensitive resources more easily than a purely technical approach would allow. The highly targeted nature of these attacks makes it possible for a patient and thorough attacker to successfully trick even a vigilant target. Many such tactics can be considered updated versions of traditional confidence tricks in which an attacker gains the trust of the victim by appealing to basic human emotions and drives, such as curiosity, greed, compassion, and anger. Common tactics can include masquerading as a trusted party or authority figure on the telephone or in instant messenger communications in an effort to obtain the victim’s network credentials, as well as customized and personalized versions of standard phishing attacks that are called spear phishing attacks.

In a typical spear phishing attack, the victim may receive a seemingly legitimate email that includes a malicious attachment or directs the victim to a malicious web page, in an effort to capture logon credentials or to use a browser exploit to download malware to the victim’s computer. Spear phishing web pages often resemble legitimate pages on the victim’s corporate intranet or externally hosted sites designed for legitimate activities, such as reviewing health insurance or employee benefit information. If the victim is accustomed to receiving internal communications about these kinds of sites, it can be difficult to distinguish between links to legitimate external sites and malicious copies.

One spear phishing technique that is often used in Targeted Attacks is the content type attack, in which an attacker sends an employee of the targeted organization an email message with a file attachment that contains an exploit. The attacker can individually tailor the email message to lure the recipient, making content type attacks particularly effective. Microsoft has received content type attack samples from all over the world, written in many different languages, such as the example in the following figure, which announces the winner of a competition run by a pharmaceutical company.

Lure message in Japanese

The goal of the lure email message is to trick the recipient into opening the malicious file attached to the message, and attackers use a variety of psychological tactics to accomplish this goal. Lures often masquerade as internal communications from superiors or other trusted parties, such as a trusted lawyer or business partner. A popular tactic is to represent the malicious file as containing sensitive information that the recipient might not be entitled to know, such as salary information for all of the employees in the company or department—the temptation presented by such “forbidden fruit” is often too great for recipients to resist. Another tactic is for the attacker to research the prospective recipient in advance, and then create a customized lure that appeals to the recipient’s interests, as shown in the following figure.

Lure tailored to its recipient

In this case, the attacker determined that the recipient was someone who worked in finance and who would be especially interested in news about financial markets in Asia. Attackers sometimes send several benign messages before any malicious ones, in an effort to build a trust relationship with the recipient.

File attachments to such messages contain malicious code that attempts to exploit a vulnerability in the application that parses the file, such as a word processor or a document reader, when the file is opened. The exploit itself is typically used to install additional malware on the computer, which performs actions such as stealing or destroying files, or connecting to other network resources. As previously stated, in most cases the malicious code attempts to exploit a vulnerability that the software vendor has already addressed, which highlights the importance of keeping all software up to date.
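A cheap gateway control against the content type attacks described in the preceding paragraphs is to check that an attachment's bytes actually match the document type its file name claims, and to look for active content in formats that support it. The following is an added example for this page, not code from the SIR: the magic values and PDF/RTF keywords are real format features; the attachments in `SAMPLES` are constructed and harmless.

```python
"""Added example (not from the SIR): a gateway-style check for content type
attacks. It verifies that an attachment's leading bytes match the type its
file name claims, flags executables and double extensions, and looks for
active content (PDF) and embedded objects (RTF)."""

MAGIC = {
    b"%PDF-": "pdf",
    b"{\\rtf": "rtf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls/.ppt container
    b"PK\x03\x04": "zip",                         # .docx/.xlsx/.pptx are ZIP containers
    b"MZ": "exe",
}
ALLOWED = {  # container types a given extension may legitimately carry
    "pdf": {"pdf"}, "rtf": {"rtf"},
    "doc": {"ole", "rtf"}, "xls": {"ole"}, "ppt": {"ole"},  # Word opens RTF saved as .doc
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
    "exe": {"exe"},
}
PDF_FLAGS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA"]  # active-content keys
RTF_FLAGS = [b"\\objdata", b"\\objupdate"]                                  # embedded OLE objects


def detect_type(data):
    """Classify by leading bytes, independent of the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(name, data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    parts = name.lower().rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) == 3 and parts[1] in ALLOWED:      # e.g. report.pdf.exe
        findings.append("double extension")
    kind = detect_type(data)
    if ext in ALLOWED and kind not in ALLOWED[ext]:
        findings.append(f"content mismatch: .{ext} claimed, {kind} detected")
    if kind == "exe":
        findings.append("executable attachment")
    elif kind == "pdf":
        findings += ["pdf active content: " + f.decode() for f in PDF_FLAGS if f in data]
    elif kind == "rtf":
        findings += ["rtf embedded object: " + f.decode() for f in RTF_FLAGS if f in data]
    return findings


def scan(samples):
    """Inspect every (name, bytes) pair and map name -> findings."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


# Constructed, harmless stand-ins for the attachment types discussed above.
SAMPLES = {
    "Q3_results.pdf": (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >>\n"
                       b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >>\n%%EOF"),
    "salaries.xls": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50,
    "invitation.rtf": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "report.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "benefits.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 20,
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", findings or "clean")
```

The check is deliberately shallow: it catches the lure that renames an executable to `.xls`, the PDF that runs script on open and the RTF that carries an embedded object, but a malformed-but-correctly-typed document that targets a parser bug passes it. That is why the paragraph above ends with patching; this filter reduces the volume, it does not replace the update.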

In early Targeted Attacks, the payload, or the actions conducted by the malware, was often performed by a trojan that was specially crafted to search for specific files or types of files, and then upload them to servers controlled by the attacker. For example, one trojan used in a Targeted Attack was designed to search for computer-aided design (CAD) files, which often contain sensitive design diagrams. More recently, Targeted Attacks have been observed to use malware that allows the attacker to connect to the controlled computer, and then dynamically issue new commands, often using custom communications protocols designed to hide the traffic from detection by network monitoring software.

A complicating factor in responding to Targeted Attacks is the difficulty of identifying that activity among the myriad other cyberthreats that organizations may encounter on a daily basis. According to volume 11 of the Microsoft Security Intelligence Report (SIR), more than 20 million pieces of malware were removed from computers around the world in the second half of 2011. Identifying specific Targeted Attacks within this large threat ecosystem can be challenging for several reasons:

There are many different malicious actors.

These actors have many different motives.

The attacks can look similar, so the nature of the attack does not always help to identify the actor and the motive.

The internet is a shared and integrated domain, where it is not easy to distinguish well-meaning and malicious network activity.

Attributing a Targeted Attack that has been successfully detected is central to many of these challenges. In some countries, law enforcement, the military, intelligence agencies and the private sector therefore attempt to cooperate in building a picture of the threat environment. Conclusive evidence of the "who" and "why" is, however, often unavailable while a system is under attack, which can make appropriate national and organizational level responses challenging. For example, the attackers usually demonstrate operational sophistication and sometimes operate in shifts, aligning their operations to the time zone in which the target organization or individual is located. Some attackers have even observed the same public holidays as their targets, regardless of their own physical location. Without additional information, the use of attack timing to locate the attackers can therefore have limited benefit and may even be used to mislead.
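The timing analysis the paragraph above warns about is simple to carry out, which is exactly why its result is easy to over-read. The following is an added example for this page, not code from the SIR: it scores candidate UTC offsets by how many command-and-control check-ins fall inside an assumed 09:00 to 18:00 office-hours window, over a constructed week of beacons. The beacon timestamps and the office-hours window are assumptions.

```python
"""Added example (not from the SIR): score candidate UTC offsets against a set
of UTC event timestamps to see which 'working day' they fit."""
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18   # assumed office hours in the attacker's local time


def local_hour_fraction(timestamps_utc, offset_hours):
    """Fraction of events whose local hour (UTC + offset) falls in office hours."""
    hits = sum(1 for ts in timestamps_utc
               if WORK_START <= (ts + timedelta(hours=offset_hours)).hour < WORK_END)
    return hits / len(timestamps_utc)


def score_offsets(timestamps_utc, offsets=range(-12, 15)):
    """Map each candidate UTC offset to its office-hours fit."""
    return {off: local_hour_fraction(timestamps_utc, off) for off in offsets}


def best_offset(timestamps_utc):
    """The offset at which the activity looks most like a normal working day."""
    scores = score_offsets(timestamps_utc)
    return max(scores, key=scores.get)


def active_weekdays(timestamps_utc, offset_hours):
    """Set of weekday numbers (Mon=0) on which activity occurs at that offset."""
    return {(ts + timedelta(hours=offset_hours)).weekday() for ts in timestamps_utc}


def constructed_beacons():
    """Constructed sample: one C2 check-in per hour from 14:00 to 22:59 UTC on
    each weekday, Mon 14 Nov to Fri 18 Nov 2011; minutes vary deterministically."""
    start = datetime(2011, 11, 14, tzinfo=timezone.utc)
    out = []
    for day in range(5):
        for hour in range(14, 23):
            out.append(start + timedelta(days=day, hours=hour, minutes=(7 * hour) % 60))
    return out


if __name__ == "__main__":
    beacons = constructed_beacons()
    for off, frac in sorted(score_offsets(beacons).items(), key=lambda kv: -kv[1])[:5]:
        print(f"UTC{off:+d}: {frac:.2f} of activity inside office hours")
    print("best fit:", best_offset(beacons), "weekdays:", sorted(active_weekdays(beacons, best_offset(beacons))))
```

On the constructed data the best fit is UTC-5, Monday to Friday. That is consistent with an attacker located in the US Eastern time zone, but it is equally consistent with a team anywhere else that works the target's hours on purpose, which is the behaviour the paragraph describes; the same 45 timestamps would be produced by operators in UTC+8 working a 22:00 to 07:00 shift. The score identifies a working pattern, not a location, and should only be combined with other evidence, never used on its own.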

However, while attribution may never be perfect, improved categorization of specific attacks, supported by effective sharing of that information between affected parties, can help inform what an appropriate response might be. Being aware of whether the aim of a specific attack is financial crime or the theft of intellectual property, even if the actors remain unknown, will have a meaningful impact on how an organization defends itself.
